Analysis
-
max time kernel: 78s
max time network: 79s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-08-2024 15:00
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://getsolara.dev/
Resource: win10v2004-20240802-en
General
-
Target: https://getsolara.dev/
Malware Config
Signatures
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | Bootstrapper.exe
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
5244 | Bootstrapper.exe
-
Loads dropped DLL 3 IoCs
Processes:
pid | process
1552 | MsiExec.exe
1552 | MsiExec.exe
6040 | MsiExec.exe
-
Blocklisted process makes network request 2 IoCs
Processes:
flow | pid | process
224 | 5604 | msiexec.exe
228 | 5604 | msiexec.exe
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
75 | api.ipify.org
77 | api.ipify.org
83 | api.ipify.org
-
Drops file in Windows directory 10 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\SourceHash{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC} | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIAA16.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIAA66.tmp | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIAF78.tmp | msiexec.exe
File created | C:\Windows\Installer\e589611.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e589611.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIAA55.tmp | msiexec.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
-
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4182098368-2521458979-3782681353-1000\{9051E629-A49C-432C-A118-7AE46D37897D} | msedge.exe
-
NTFS ADS 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 382324.crdownload:SmartScreen | msedge.exe
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes:
pid | process
3704 | msedge.exe
3704 | msedge.exe
3616 | msedge.exe
3616 | msedge.exe
2720 | identity_helper.exe
2720 | identity_helper.exe
4668 | msedge.exe
4668 | msedge.exe
6052 | msedge.exe
6052 | msedge.exe
5244 | Bootstrapper.exe
5244 | Bootstrapper.exe
5244 | Bootstrapper.exe
5604 | msiexec.exe
5604 | msiexec.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
Processes:
pid | process
3616 | msedge.exe (11 identical entries)
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 5244 | Bootstrapper.exe
Token: SeShutdownPrivilege | 5592 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 5592 | msiexec.exe
Token: SeSecurityPrivilege | 5604 | msiexec.exe
Token: SeCreateTokenPrivilege | 5592 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 5592 | msiexec.exe
Token: SeLockMemoryPrivilege | 5592 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 5592 | msiexec.exe
Token: SeMachineAccountPrivilege | 5592 | msiexec.exe
Token: SeTcbPrivilege | 5592 | msiexec.exe
Token: SeSecurityPrivilege | 5592 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 5592 | msiexec.exe
Token: SeLoadDriverPrivilege | 5592 | msiexec.exe
Token: SeSystemProfilePrivilege | 5592 | msiexec.exe
Token: SeSystemtimePrivilege | 5592 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 5592 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 5592 | msiexec.exe
Token: SeCreatePagefilePrivilege | 5592 | msiexec.exe
Token: SeCreatePermanentPrivilege | 5592 | msiexec.exe
Token: SeBackupPrivilege | 5592 | msiexec.exe
Token: SeRestorePrivilege | 5592 | msiexec.exe
Token: SeShutdownPrivilege | 5592 | msiexec.exe
Token: SeDebugPrivilege | 5592 | msiexec.exe
Token: SeAuditPrivilege | 5592 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 5592 | msiexec.exe
Token: SeChangeNotifyPrivilege | 5592 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 5592 | msiexec.exe
Token: SeUndockPrivilege | 5592 | msiexec.exe
Token: SeSyncAgentPrivilege | 5592 | msiexec.exe
Token: SeEnableDelegationPrivilege | 5592 | msiexec.exe
Token: SeManageVolumePrivilege | 5592 | msiexec.exe
Token: SeImpersonatePrivilege | 5592 | msiexec.exe
Token: SeCreateGlobalPrivilege | 5592 | msiexec.exe
Token: SeRestorePrivilege | 5604 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 5604 | msiexec.exe
Token: SeRestorePrivilege | 5604 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 5604 | msiexec.exe
Token: SeRestorePrivilege | 5604 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 5604 | msiexec.exe
Token: SeRestorePrivilege | 5604 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 5604 | msiexec.exe
Token: SeRestorePrivilege | 5604 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 5604 | msiexec.exe
-
Suspicious use of FindShellTrayWindow 35 IoCs
Processes:
pid | process
3616 | msedge.exe (35 identical entries)
-
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
pid | process
3616 | msedge.exe (24 identical entries)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 3616 wrote to memory of 3372 | 3616 | msedge.exe | msedge.exe (2 entries)
PID 3616 wrote to memory of 1184 | 3616 | msedge.exe | msedge.exe (40 entries)
PID 3616 wrote to memory of 3704 | 3616 | msedge.exe | msedge.exe (2 entries)
PID 3616 wrote to memory of 1196 | 3616 | msedge.exe | msedge.exe (20 entries)
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3616)
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://getsolara.dev/
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3372)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3c4146f8,0x7ffe3c414708,0x7ffe3c414718
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1184)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,9195013783899397135,4999782205540958420,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3704)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,9195013783899397135,4999782205540958420,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1196)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,9195013783899397135,4999782205540958420,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2528 /prefetch:8
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3148)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9195013783899397135,4999782205540958420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2980)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9195013783899397135,4999782205540958420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 2916)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,9195013783899397135,4999782205540958420,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 2720)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,9195013783899397135,4999782205540958420,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2316)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9195013783899397135,4999782205540958420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1840)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9195013783899397135,4999782205540958420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4656)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9195013783899397135,4999782205540958420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3120)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9195013783899397135,4999782205540958420,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1236)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9195013783899397135,4999782205540958420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4288)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9195013783899397135,4999782205540958420,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2248)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9195013783899397135,4999782205540958420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4836)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2108,9195013783899397135,4999782205540958420,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3552 /prefetch:8
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4668)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2108,9195013783899397135,4999782205540958420,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3756 /prefetch:8
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5684)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9195013783899397135,4999782205540958420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2024 /prefetch:1
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5860)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,9195013783899397135,4999782205540958420,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6540 /prefetch:8
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5868)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9195013783899397135,4999782205540958420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6860 /prefetch:1
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5960)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,9195013783899397135,4999782205540958420,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6704 /prefetch:8
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6052)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,9195013783899397135,4999782205540958420,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7072 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
  -
    C:\Users\Admin\Downloads\Bootstrapper.exe (PID 5244)
      cmdline: "C:\Users\Admin\Downloads\Bootstrapper.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      -
        C:\Windows\System32\msiexec.exe (PID 5592)
          cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn
          - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exe (PID 3488)
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
-
C:\Windows\System32\CompPkgSrv.exe (PID 4764)
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
-
C:\Windows\system32\msiexec.exe (PID 5604)
  cmdline: C:\Windows\system32\msiexec.exe /V
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  -
    C:\Windows\System32\MsiExec.exe (PID 1552)
      cmdline: C:\Windows\System32\MsiExec.exe -Embedding B3B5A866A9E78E545A244CB5401E58F5
      - Loads dropped DLL
  -
    C:\Windows\syswow64\MsiExec.exe (PID 6040)
      cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 347332D7545766C1F7EF92A398F16865
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
-
C:\Windows\System32\rundll32.exe (PID 5800)
  cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 152B
MD5: 111c361619c017b5d09a13a56938bd54
SHA1: e02b363a8ceb95751623f25025a9299a2c931e07
SHA256: d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc
SHA512: fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2
-
Filesize: 152B
MD5: 983cbc1f706a155d63496ebc4d66515e
SHA1: 223d0071718b80cad9239e58c5e8e64df6e2a2fe
SHA256: cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c
SHA512: d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 672B
MD5: 73233a5c9ee47886f7c97c4ae6e603f1
SHA1: 53545da640d70d0bedd51a6385fe17673fb9920c
SHA256: c761345bd2a92bd79161ce1085c9196d78efc6324c591e58c6febafe2be91221
SHA512: 59bcee661d6a67242403edbf2a4b86f38054fb332192cab608446c22ebdc938a7dc8d675b03e70257ceebf771c39a736eb252e18d660f2021e11d4eda9480d4c
-
Filesize: 111B
MD5: 285252a2f6327d41eab203dc2f402c67
SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize: 3KB
MD5: 7a44c1e608729014818e2159b744d4e4
SHA1: b8a47da67951d53b8aaa9d337780aa4b238bfdd7
SHA256: 99aae4736e58bd1fbb17f88441e6f4c8cecad07384bac7a8396b7e76838a971c
SHA512: b6bd7c5ee05e8a103e6d53acad6c940f97d51589b02ad0d58c6acdd4a8a4807523749ac989718aa770730fa6014635038d2d5c3b2223b6fd811ce22bcb46b0c5
-
Filesize: 5KB
MD5: b44845c09889c1eb1a2443ff2f492cb2
SHA1: 780f47dba8e6ba1b1a01c050c87d4150685bb2e6
SHA256: cb96f7e8c5352400436ce08c134cfac68a7fc94339484434c328c17756a1ab6a
SHA512: daa680ca97191d6b1c755eabdbaddf13d46b0aa3fad63ff727992ffe5221eac0087448c61460eb423c87926f911f6507b3b76b126a2e78f744885b3e404403f8
-
Filesize: 7KB
MD5: 8be513e5bdaa8dcc18593616255d6c36
SHA1: 43506eb9aa46be8419ea0b98c4209d63a74aad97
SHA256: df80acf51cb7950767ef77109ba2cf21cbe7d23260a7f35326cd64b311f4eb0d
SHA512: 1d421a138ff24f7272168cd4f229115c775a008a19c5e0fe405aab30a32e554311d6bc2233cce4c59bee43d4b1dc0cff87941162fb073c57642757c1aca7be7d
-
Filesize: 8KB
MD5: b40ab9253e128d9209bf556a27fddd8e
SHA1: 4b5bb5ddc075069313bb455120291d13bba81ff2
SHA256: e1b66ac7fb47c9eafb5593ceb729aec6b2ba5e210a05507f4d8810518050671b
SHA512: ffe4c195e9cb44f5835d579efa59ba0481424ca5262ccf760a626b2aad9c83b2156cdf729789575f4eae66efcbdab8d528160236ba7254e992a37ec4e8061ce7
-
Filesize: 8KB
MD5: 6ee75f4d8b13c2b098b878f9d28a99c1
SHA1: 6ac735a2c11daca7fea499bcace8abfb2b1181e1
SHA256: c6fb4d48f642aa11e056fd508bfd0fbb8eb7632a6aad685c2be721d901ce358f
SHA512: 006b5a41f8a301774dfee1e52b6da6a82ead61313132464c689f465ba72ceab5850d6b262150b0098f2903c23098d8f8d6d186cb07dd572535e7b4f4bbdc4efe
-
Filesize: 1KB
MD5: 26356d6dd3371ba5991a6a764367bd71
SHA1: 4b1c6b42013ebce71f38025d8196baa350630c46
SHA256: e51b848252d2b9cc1a154d0f7451a24eeac51be20b0bbc037a03975debdb457d
SHA512: 845e30a4bb6928d5ba78066396193f533b6ebda35ff0747c8a0196f6d29578a37557a49a60c0977567cf338fa7f252dbbb42fb9a5f7e7f1bd0ee4a7f12ff4034
-
Filesize: 1KB
MD5: 2046cf77b92ccb4f770fd2055abfe3db
SHA1: 343a53a001916b1bac8bbe20ce335e9e143308af
SHA256: 21521034b7df4b6899fa1303b381c79fa165aad6bdd991ee306585ac0960f876
SHA512: 3b298278975f4e57a03f4600756195090abbd9978d8e84ed309780e6dedaadf7ef0e97924e70866016bbfb2ed8896c08ada7903d27580de006e55ab569b88aa6
-
Filesize: 1KB
MD5: 2e6a3e96db1a38c33f4f72a2a8e521af
SHA1: 56303b1e85582b162d963cc18411884fb8768000
SHA256: 8e3a9355fab2372815361a8e003a8056ce87d8c4e838d0dee7c7cacf469c7d8d
SHA512: 5c46cb5c4d2e20f28f58bdc907e3169680745c5318e808a722183ec693e39017fcf93f1c4dc886ca2938fe9168ec24a16952b4c35a0d9ff15e30febf22915ad1
-
Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize: 11KB
MD5: 0111cb998d1176bcb491a292d0b52a2d
SHA1: 4cb520215261fe325be6af70e7b47da4db6ed750
SHA256: b5bd9ad9a4425c0114eeed3476951fd42c7c4c048d0badbd979e5b793606af6b
SHA512: e62b98da933dcf042d1cac358af19ac2c4b3b59acd70b5f40da8687860e60560f683e08a44bee2502959ebc08145e81287539ff2c4f575b0ca3e983c58e76070
-
Filesize: 12KB
MD5: c96578ca90a9121ef665064e048daf5c
SHA1: 12b2479e297b0ff3f48ddac6dd6e1babf7453019
SHA256: 942d0856640e8445099a257d7838f121255f135ccf0f07538a4841fccb9b98c5
SHA512: 74e545c5407cfbafa30d0154328b45609da3d7f3bfbae4e4cc53a2000fdd44d3239165fd16aaf02d25cff296352a82d37ab9508ba54604aa8f0f6975eb65f585
-
Filesize: 30.1MB
MD5: 0e4e9aa41d24221b29b19ba96c1a64d0
SHA1: 231ade3d5a586c0eb4441c8dbfe9007dc26b2872
SHA256: 5bfb6f3ab89e198539408f7e0e8ec0b0bd5efe8898573ec05b381228efb45a5d
SHA512: e6f27aecead72dffecbeaad46ebdf4b1fd3dbcddd1f6076ba183b654e4e32d30f7af1236bf2e04459186e993356fe2041840671be73612c8afed985c2c608913
-
Filesize: 796KB
MD5: 76639ab92661f5c384302899934051ab
SHA1: 9b33828f8ad3a686ff02b1a4569b8ae38128caed
SHA256: 6bb9ad960bcc9010db1b9918369bdfc4558f19287b5b6562079c610a28320178
SHA512: 928e4374c087070f8a6786f9082f05a866751ea877edf9afa23f6941dfc4d6762e1688bbb135788d6286ec324fa117fc60b46fed2f6e3a4ab059465a00f2ebee
-
Filesize: 122KB
MD5: 9fe9b0ecaea0324ad99036a91db03ebb
SHA1: 144068c64ec06fc08eadfcca0a014a44b95bb908
SHA256: e2cce64916e405976a1d0c522b44527d12b1cba19de25da62121cf5f41d184c9
SHA512: 906641a73d69a841218ae90b83714a05af3537eec8ad1d761f58ac365cf005bdd74ad88f71c4437aaa126ac74fa46bcad424d17c746ab197eec2caa1bd838176
-
Filesize: 211KB
MD5: a3ae5d86ecf38db9427359ea37a5f646
SHA1: eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256: c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA512: 96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0
-
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e